Our Web SSL VPN article, written back in 2011, introduced this new wave of VPN services. This article extends the topic by covering the installation and configuration of Cisco’s SSL AnyConnect VPN on Cisco IOS routers.

Web SSL VPN delivers three modes of SSL VPN access:

• Clientless - provides secure access to private web resources through the browser alone: web-based intranet applications, webmail and similar content, with no software installed on the client.

• Thin client - a small Java applet downloaded from the gateway forwards TCP ports, so non-web applications (mail, SSH and the like) can be reached without a full VPN client.

• Full tunnel (AnyConnect) - the SSL VPN client downloaded from the gateway gives the user a virtual network adapter and a routable IP address, so any application can reach the private network. This is the mode the rest of this article configures.

The advantage of SSL VPN comes from its accessibility from almost any Internet-connected system without needing to install additional desktop software.

Introducing Cisco SSL AnyConnect VPN - WebVPN

Cisco SSL AnyConnect VPN allows remote users to access enterprise networks from anywhere on the Internet through an SSL VPN gateway, starting from nothing more than a web browser. During the establishment of the SSL VPN session with the gateway, the client downloads and installs the AnyConnect VPN client from the gateway itself. This gives easy access to services within the company’s network and simplifies the VPN configuration on the SSL VPN gateway, dramatically reducing the administrative overhead for system administrators.

Regardless of the client platform (PC, smartphone etc), the router configuration remains the same; the gateway serves the VPN client package that matches the platform of the device connecting to it, which is why more than one package may have to be installed on the router.

Smartphones and tablets running iOS (iPhone, iPad) or Android download the Cisco AnyConnect Secure Mobility Client from the Apple App Store (iTunes) or the Google Play store respectively. To download it, open your store and search for ‘Cisco AnyConnect’.

IOS 15.1(4)M7 or later is required to correctly support the AnyConnect Secure Mobility Client for smartphone clients (Android, iPhone etc). For Windows AnyConnect clients, IOS 12.4(20)T or later is highly recommended. Also keep in mind that the 12.4 train does not require any license activation for the WebVPN service, whereas 15.x does (covered in the licensing section below).

This article will use a Windows 7 workstation and Samsung Galaxy SII running Ice Cream Sandwich (4.0.4), as mobile clients.

The AnyConnect Secure Mobility Client packages for Windows, Mac OS X and Linux can be downloaded free of charge from our Cisco Download section. The latest version of the client available at the time of writing was used for this article.

Once the client is downloaded and installed on our Windows 7 workstation it is ready to initiate the VPN connection to our VPN gateway.

The first step on the router side is to upload the Cisco AnyConnect client package to the router’s flash memory and register it with the WebVPN service. Depending on the client platforms you need to support, more than one AnyConnect package may be required. For this article we use the latest AnyConnect client for Windows, which at the time of writing was version 3.1.00495 (anyconnect-win-3.1.00495-k9.pkg). This client is available for download in our Cisco Download Section.
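As an added example (not part of the original article), the commands that copy the package to flash, check its integrity and register it with the SSL VPN service. The TFTP server address is an assumption; the 15.x command form is shown, with the older 12.4T form as a comment:

```cisco
! Copy the AnyConnect package to flash (TFTP server address is an assumption)
R1# copy tftp://192.168.9.10/anyconnect-win-3.1.00495-k9.pkg flash:
!
! Check the package hash against the value published by Cisco before
! installing it: the router will hand this executable to every VPN user.
R1# verify /md5 flash:anyconnect-win-3.1.00495-k9.pkg
!
! Register the package with the SSL VPN service (IOS 15.x form).
! On 12.4T the equivalent command is:
!   webvpn install svc flash:anyconnect-win-3.1.00495-k9.pkg sequence 1
R1(config)# crypto vpn anyconnect flash:anyconnect-win-3.1.00495-k9.pkg sequence 1
!
! Additional packages (Mac OS X, Linux) get their own sequence number;
! the gateway offers the package matching the connecting client's platform.
!
! Verify the package is installed and usable
R1# show webvpn install status svc
```

Checking the hash matters more than it looks: the gateway is a software distribution point for every remote user, so a tampered package on flash would be installed on each client that connects.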

Generate RSA Keys

The next step is to generate the RSA key pair that the router’s SSL certificate will use. The crypto key generate rsa command depends on the hostname and ip domain-name commands having been set. It generates a Rivest, Shamir, Adleman (RSA) key pair, one public and one private key, with the modulus size given on the command line. This article uses 1024 bits, which was common at the time; 1024-bit RSA is now below the accepted minimum and 2048 bits should be used on any current deployment:

R1(config)# crypto key generate rsa label my-rsa-keys modulus 1024
The name for the keys will be: my-rsa-keys
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

Note: The crypto key generate rsa command does not appear in the router’s running or startup configuration. The key pair is stored separately in NVRAM and is saved when the configuration is written (write memory); until then it is lost on reload.

Declare the Trustpoint & Create Self-Signed Certificate

Once complete, we need to declare the trustpoint that the router should use with the crypto pki trustpoint command in global configuration mode. When declaring a trustpoint, we can specify certain characteristics in its subcommands, as shown in our configuration:

crypto pki trustpoint my-trustpoint
 enrollment selfsigned
 subject-name CN=firewallcx-certificate
 rsakeypair my-rsa-keys
!
crypto pki enroll my-trustpoint
% Include the router serial number in the subject name? [yes/no]: yes
% Include an IP address in the subject name? [no]: no
Generate Self Signed Router Certificate? [yes/no]: yes
Router Self Signed Certificate successfully created
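The same two steps with the settings a current deployment should use, as an added example rather than the article’s own output: a 2048-bit key, the enrollment prompts answered in the trustpoint instead of interactively, and the verification commands. The hostname, domain and certificate subject are assumptions:

```cisco
! Prerequisites for the key name and certificate subject (values are assumptions)
R1(config)# hostname R1
R1(config)# ip domain-name firewall.cx
!
! 2048-bit key instead of 1024 (1024-bit RSA is below current minimum guidance)
R1(config)# crypto key generate rsa label my-rsa-keys modulus 2048
!
! Trustpoint with the enrollment prompts answered in configuration:
! no serial number and no IP address in the subject, a CN that matches the
! name users will type into their browser
R1(config)# crypto pki trustpoint my-trustpoint
R1(ca-trustpoint)# enrollment selfsigned
R1(ca-trustpoint)# subject-name CN=vpn.firewall.cx
R1(ca-trustpoint)# serial-number none
R1(ca-trustpoint)# ip-address none
R1(ca-trustpoint)# rsakeypair my-rsa-keys
R1(ca-trustpoint)# exit
R1(config)# crypto pki enroll my-trustpoint
!
! Verify the certificate and key pair, then save: the key pair is written to
! NVRAM by write memory even though no key command appears in the configuration
R1# show crypto pki certificates my-trustpoint
R1# show crypto key mypubkey rsa my-rsa-keys
R1# write memory
```

A self-signed certificate is acceptable for a lab, but every client will see a certificate warning on connect. In production, enroll the trustpoint with a CA the clients already trust and keep the CN (or a subject alternative name) equal to the gateway’s DNS name, so users are never trained to click through warnings.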

Configure WebVPN Pool IP Addresses

WebVPN users need to be assigned a LAN IP address so they can communicate with our network. A local pool specifies the range of IP addresses that will be assigned to our users; it can be part of our LAN network or a completely different network. Since we have plenty of spare IP addresses, we use a small portion of our LAN range, 192.168.9.80 to 192.168.9.85, as the pool named webvpn-pool that the group policy references later.

AAA may already be enabled on the router (aaa new-model); if so, we only need to define an authentication list (we named it ‘sslvpn’) that uses the router’s local user database for user authentication.
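The pool and AAA commands behind the two paragraphs above, as an added example (the article does not print them). The pool range is the one the article uses; the user name and passphrase are assumptions:

```cisco
! Address pool handed to AnyConnect clients (range from the article)
R1(config)# ip local pool webvpn-pool 192.168.9.80 192.168.9.85
!
! AAA. Turning on aaa new-model makes console and vty logins use the
! 'default' login list, so define it before leaving the session or you
! can lock yourself out.
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
!
! Login list used by the WebVPN context: local user database
R1(config)# aaa authentication login sslvpn local
!
! VPN account (name and passphrase are assumptions). 'secret' stores a
! hash; 'password' would store it reversibly (type 7). Leave VPN users
! at the default privilege level 1: they need no access to the CLI.
R1(config)# username vpnuser secret S0me-Str0ng-Passphrase
!
! Verify the pool exists and has the expected size
R1# show ip local pool webvpn-pool
```

Because the local database is also what the console falls back to, keep VPN-only accounts separate from administrative ones; an SSL VPN credential that is guessed or phished should not also open the router’s CLI.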

Enable WebVPN License

When the WebVPN service is enabled for the first time on an ISR Generation 2 Cisco router (1900, 2900 & 3900 series) running IOS 15.x or newer, the router prompts us to accept the End-User License Agreement (EULA) before enabling and activating the service.

It is imperative to accept the EULA in order to proceed:

R1(config)# webvpn gateway Cisco-WebVPN-Gateway

PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE OR
LICENSE KEY PROVIDED FOR ANY CISCO PRODUCT FEATURE OR USING SUCH
PRODUCT FEATURE CONSTITUTES YOUR FULL ACCEPTANCE OF THE FOLLOWING
TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO BE BOUND
BY ALL THE TERMS SET FORTH HEREIN.

……. Output omitted

Activation of the software command line interface will be evidence of
your acceptance of this agreement.

ACCEPT? [yes/no]: yes

After accepting the EULA, we can verify that the Web SSL VPN service is activated by issuing the show license all command. In our output the SSL_VPN feature is at StoreIndex 4 of the Built-In License Storage:

R1# show license all
License Store: Primary License Storage
StoreIndex: 0  Feature: ipbasek9                      Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
StoreIndex: 1  Feature: securityk9                    Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
License Store: Built-In License Storage
StoreIndex: 0  Feature: securityk9                    Version: 1.0
        License Type: EvalRightToUse
        License State: Inactive
            Evaluation total period: 8 weeks 4 days
            Evaluation period left: 8 weeks 4 days
            Period used: 0 minute 0 second
        License Count: Non-Counted
        License Priority: None
StoreIndex: 4  Feature: SSL_VPN                       Version: 1.0
        License Type: EvalRightToUse
        License State: Active, In Use
            Evaluation total period: 8 weeks 4 days
            Evaluation period left: 8 weeks 3 days
            Period used: 0 minute 1 second
            Transition date: Nov 18 2012 22:14:16
        License Count: 100/0 (In-use/Violation)
        License Priority: Low

Notice the License Type: EvalRightToUse. This is a Right-To-Use evaluation license. At the end of the evaluation period (8 weeks 4 days in the output above) the ISR G2 router does not terminate the SSL_VPN license; having accepted the EULA, the feature continues to work.

License activation applies only to IOS 15.x. The 12.4 series IOS does not require license activation.

Configure and Enable WebVPN Gateway

After taking care of the licensing it’s time to begin working on the WebVPN virtual gateway configuration. The WebVPN gateway defines the interface or IP address and the port number on which the WebVPN service listens for incoming connections, the SSL cipher suites it offers, and the trustpoint whose certificate it presents.

webvpn gateway Cisco-WebVPN-Gateway
 ip address 74.200.90.5 port 443
 ssl encryption rc4-md5
 ssl trustpoint my-trustpoint
 inservice

Note: If the interface the WebVPN gateway runs on has a dynamic IP address, for example a Dialer0 interface on an ADSL connection, the ip address 74.200.90.5 port 443 command can be replaced with ip interface Dialer0 port 443, where ‘Dialer0’ is the dynamic interface.

Note: There is a known bug that causes the browser on Windows clients to report errors such as "The page isn't redirecting properly" when connecting to the SSL WebVPN gateway. According to Cisco, it surfaces once a Windows machine has installed security update KB2585542 (MS12-006, which changed how Windows sends TLS CBC records as a mitigation for the BEAST attack). Cisco's workaround is to use the rc4-md5 suite instead, as shown above; RC4 is a stream cipher and is not affected by the change. Be aware that the workaround trades down to a cipher suite that is now considered broken (RFC 7465 prohibits RC4 in TLS), so it should be treated as temporary and removed once clients and IOS are updated.

For those interested in reading up on this bug, Cisco has assigned bug ID CSCtx38806 with the description "IOS SSL VPN fails to connect after microsoft security update KB258554".
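The gateway as configured above beside a version with a stronger cipher list, as an added example that is not part of the original article. The keywords aes-sha1, 3des-sha1 and rc4-md5 are the standard ssl encryption options; the availability of the aes128-sha1 and aes256-sha1 keywords is release-dependent and is an assumption to check on your IOS:

```cisco
! As in the article: RC4-MD5 only, Cisco's workaround for CSCtx38806.
! Every session will negotiate RC4, which is now prohibited in TLS.
webvpn gateway Cisco-WebVPN-Gateway
 ip address 74.200.90.5 port 443
 ssl encryption rc4-md5
 ssl trustpoint my-trustpoint
 inservice
!
! Preferred: AES first, 3DES as fallback. While affected Windows clients
! are still being updated, rc4-md5 can be appended last so only those
! clients fall back to it; delete it again afterwards.
! (aes128-sha1 / aes256-sha1 exist on newer 15.x releases; assumption.)
webvpn gateway Cisco-WebVPN-Gateway
 ip address 74.200.90.5 port 443
 ssl encryption aes-sha1 3des-sha1
 ssl trustpoint my-trustpoint
 inservice
!
! Dynamic-address variant from the note above, used instead of ip address:
!  ip interface Dialer0 port 443
!
! Confirm the gateway is administratively and operationally up
R1# show webvpn gateway Cisco-WebVPN-Gateway
```

The gateway only offers what is listed on the ssl encryption line, so this single command decides the best and the worst suite any client can negotiate; review it whenever a client-side TLS change (such as the Windows update above) forces a temporary downgrade.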

Configure and Enable SSL VPN Context

The SSL VPN context is used to configure a number of parameters for our Web VPN server, these include:

• Gateway and domain associated

• AAA user authentication method

• Group policy associated

• The remote user portal (web page)

• Limit on the number of WebVPN SSL user sessions

Most of these parameters are configured in our group policy. This group policy is then set as the default-group policy for our Web SSL VPN.

webvpn context Cisco-WebVPN
 title "Firewall.cx WebVPN - Powered By Cisco"
 !
 acl "ssl-acl"
   permit ip 192.168.9.0 255.255.255.0 192.168.9.0 255.255.255.0
 login-message "Cisco Secure WebVPN"
 !
 policy group webvpnpolicy
   functions svc-required
   functions svc-enabled
   filter tunnel ssl-acl
   svc address-pool "webvpn-pool" netmask 255.255.255.0
   svc rekey method new-tunnel
   svc split include 192.168.9.0 255.255.255.0

Let’s explain what all the above commands do:

The webvpn context command creates a context, which we have named Cisco-WebVPN. The title command sets the text displayed as the web browser’s page title and at the top of the login screen.

The acl “ssl-acl” command configures the access list for this context. It governs what the WebVPN users will have access to once connected; here we give them full access to the 192.168.9.0 network.

Our WebVPN users' IP addresses come from the webvpn-pool (192.168.9.80 to 192.168.9.85), which is part of the same 192.168.9.0 network. Instead of listing each address in that range, we simply permit the 192.168.9.0 network as both source and destination, which ensures any pool address assigned to a VPN client can reach our LAN (192.168.9.0).

The login-message command defines the text shown in the login section of the WebVPN web page. Both messages are visible in the WebVPN login screen shown at the beginning of this article.

Next, we define a group policy. The group policy configures a number of important parameters. We named our group policy webvpnpolicy.

The functions svc-enabled & svc-required commands ensure tunnel mode is enabled and required. The combination of the two forces the VPN user’s PC to start downloading the AnyConnect software client as soon as the user authenticates successfully. This is called tunnel-mode operation.

Alternatively, without the svc-required command, a webpage will be presented from which the user can directly launch any configured web service in our webvpn portal or selectively initiate tunnel-mode and start downloading the AnyConnect software client.

During the installation the user will receive a number of prompts and security warnings about the publisher and the website’s certificate verification. With the self-signed certificate used in this article, administrators and engineers have to instruct their VPN users to accept the certificate and allow the installation of the software client when prompted. This is worth avoiding in production: a certificate issued by a CA the clients trust, with a name matching the gateway’s address, removes the certificate warning and leaves users with only the signed-installer prompt.

Shortly after the acceptance of certificates and confirming to the web browser to allow the installation of the client, the AnyConnect Secure Mobility Client Downloader will begin:

The filter tunnel ssl-acl command instructs the webvpn gateway to use ssl-acl access list to define the access vpn users will have.

The svc address-pool command defines the pool that will be used to assign IP addresses to our vpn users.

The svc rekey method new-tunnel specifies that the SVC establishes a new tunnel during SVC rekey.

The svc split command enables split tunneling, instructing the client which network traffic is sent through the VPN tunnel; everything else leaves the client directly. If this command is omitted, all of the client’s traffic, Internet traffic included, goes into the tunnel, so VPN users lose Internet access unless the router is also configured to route and NAT that traffic back out. Note the trade-off: split tunneling keeps the LAN reachable from a client that is simultaneously exposed to the Internet, while a full tunnel forces that traffic through the corporate path where it can be inspected.

Configure Default Group Policy, Authentication List and Final Parameters

Now we will configure the policy we just created as the default policy, set the aaa authentication list (sslvpn) to be used for user authentication and maximum users for the service. Lastly, we enable our webvpn context:

 default-group-policy webvpnpolicy
 aaa authentication list sslvpn
 gateway Cisco-WebVPN-Gateway
 max-users 2
 !
 ssl authenticate verify all
 !
 url-list "rewrite"
 inservice

The ssl authenticate verify all command enables SSL for connections to backend servers. Although we are not using any backend services, it is a good option to leave enabled. The max-users value also deserves attention: set it to the number of concurrent sessions you actually expect, since it is the only limit on how many pool addresses and sessions an attacker with valid credentials could consume.
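Once the context is in service, the checks a practitioner runs to confirm it works and to see who is connected, as an added example (not the article’s own output). The user name vpnuser is an assumption:

```cisco
! Context and gateway must both show as in service / operational
R1# show webvpn context Cisco-WebVPN
R1# show webvpn gateway Cisco-WebVPN-Gateway
!
! Active sessions in the context, with the pool address assigned to each
R1# show webvpn session context Cisco-WebVPN
R1# show webvpn session user vpnuser context Cisco-WebVPN
!
! Counters: tunnel and clientless traffic, failed logins
R1# show webvpn stats
!
! When a client cannot connect: authentication and tunnel negotiation
R1# debug webvpn aaa
R1# debug webvpn tunnel
R1# undebug all
!
! Terminate a session (for example for a compromised account)
R1# clear webvpn session user vpnuser context Cisco-WebVPN
```

The session commands are the ones to script for monitoring: a session count close to max-users, or a burst of failed logins in show webvpn stats, is the first visible sign of either a capacity problem or a password-guessing attempt against the portal.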

Supporting Multiple Group Policies on AnyConnect

Administrators and engineers who have worked with the classic Cisco IPSec VPN client will wonder how they can support multiple groups with different access rights using AnyConnect. AnyConnect on an IOS router does support multiple policy groups, but selecting a group per user requires a RADIUS server at the backend: the RADIUS reply for each user carries the name of the policy group that the gateway should apply.

With only the router’s local user database, every user receives the context’s default group policy, so AnyConnect on a Cisco router without a RADIUS server effectively supports a single group policy.
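An added example of the RADIUS-backed layout described above (not configuration from the original article): two policy groups with different reach, a login list that queries RADIUS and falls back to the local database, and the attribute the RADIUS server must return. The RADIUS address and key, the ACL names, the host address and the group names are assumptions:

```cisco
! RADIUS server (address and shared secret are assumptions)
radius-server host 192.168.9.10 auth-port 1812 acct-port 1813 key Radius-Shared-Secret
!
! SSL VPN logins: RADIUS first, local database only if RADIUS is unreachable.
! Users authenticated locally carry no group attribute and get the default group.
aaa new-model
aaa authentication login sslvpn group radius local
!
webvpn context Cisco-WebVPN
 !
 ! Staff reach the whole LAN; contractors reach a single host
 acl "staff-acl"
   permit ip 192.168.9.0 255.255.255.0 192.168.9.0 255.255.255.0
 acl "contractor-acl"
   permit ip 192.168.9.0 255.255.255.0 192.168.9.50 255.255.255.255
 !
 policy group staff
   functions svc-required
   functions svc-enabled
   filter tunnel staff-acl
   svc address-pool "webvpn-pool" netmask 255.255.255.0
   svc split include 192.168.9.0 255.255.255.0
 policy group contractors
   functions svc-required
   functions svc-enabled
   filter tunnel contractor-acl
   svc address-pool "webvpn-pool" netmask 255.255.255.0
   svc split include 192.168.9.0 255.255.255.0
 !
 ! Least privilege: anyone whose RADIUS reply names no group lands in the
 ! most restrictive one
 default-group-policy contractors
 aaa authentication list sslvpn
 gateway Cisco-WebVPN-Gateway
 inservice
!
! On the RADIUS server, return per user the Cisco vendor-specific attribute
!   Cisco-AVPair = "webvpn:user-vpn-group=staff"
! (or "webvpn:user-vpn-group=contractors"); the gateway applies the policy
! group whose name matches.
```

Making the restrictive group the default is the point of the layout: a mistake on the RADIUS side, or the local fallback being used while RADIUS is down, then costs a user access rather than granting extra reach.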